ConfigServer Community Forum

Hi all, I've been running CSF for years and I don't think I've ever seen this one... tonight I got an email saying 0.0.0.1 was blocked permanently. Checked the lfd logs and see entries like:

(CT) IP 0.0.0.1 (-/-/-) found to have 80 connections - *Blocked in csf* for 1800 secs [CT_LIMIT]

This appears to have started on Oct 5 (it's the first entry in the gzipped LFD log). I didn't think 0.0.0.1 was a valid IP... so how's this possible? Is there any way to get more information about this block?

It may be worth noting that some jerk has been hitting my server with a small-scale flood attack for over a year and LFD has performed like a champ at blocking the attacks . But that has always been on port 80 so I'm not sure if that's even related. Any help would be greatly appreciated!

You would really need to information from the email lfd will have sent to the root forwarder to find out more information. It's possible that it was junk traffic on the network local to the server that caused it. 0.0.0.1 is a valid IP, though certainly odd to see.

The only email I have is the "blocked permanently" email which was triggered from the temporary blocks. Because I've been DOS'd for so long I just disabled the "Blocked with too many connections" because I was getting > 100 of them per day. Is that information stored anywhere on the server?

Also, this would definitely be an incoming connection, right?

It would only be incoming, yes. Unfortunately, that is not stored on the server as it is a count of the number of connections from a given IP to the server rather than something picked up from logs.

Okay, that makes sense. I'll ask my host about it because it originated from their network and they might have an idea of where the requests came from. Thanks!